This copy is for your personal non-commercial use only. To order presentation-ready copies of Toronto Star content for distribution to colleagues, clients or customers, or inquire about permissions/licensing, please go to: www.TorontoStarReprints.com

If the titans of the tech industry can get hacked, what hope is there for the rest of us?

That's the general conclusion after the news that Facebook's Mark Zuckerberg and former Twitter CEO Dick Costolo have had some of their social media accounts compromised in the past few weeks.

For Zuckerberg, it was his Pinterest and LinkedIn accounts. Then, Costolo's Twitter account suddenly featured some questionable tweets. He clarified online that it was another social account that had been compromised.

Both men were targeted by a hacker group called OurMine, which goes after high-profile victims and brags about its exploits online. In May, the group also hijacked the SoundCloud account of Canadian musician deadmau5.

For Zuckerberg and Costolo, it's believed the attackers reused credentials exposed in LinkedIn's 2012 data breach. That breach was initially reported as 6.5 million records, but is now known to have exposed more than 117 million.


The pair were obviously targeted, but the truth is that, for all their profile and tech savvy, they are human, and their security habits are just as haphazard as everyone else's.

"In the case of Zuckerberg, the problem is that he used a s--t password," said Troy Hunt, a regional director for Microsoft and security researcher who created haveibeenpwned.com, one of the go-to sites to check if your accounts have been part of a breach.

"Once they got his password, it was game over," said Hunt. "But it barely even enters the realm of what we considered hacked."

Hunt started the site as a side project after noticing the same compromised accounts reappearing across the data dumps he was researching.

"I thought it would be an interesting exercise just to see how broad the exposure is," he said. "Because I thought — and consequently it seems to be the case — that people are just not aware how far the data is being spread around the web."

The bigger issue is the growth rate of these breaches. At the beginning of the year, he said, his site held about 200 million records; after the breaches that have surfaced since, the total is now in the 2 billion range. Individual dumps now routinely run to tens or hundreds of millions of records, and they are arriving more often.

Dave Ostertag, global investigations manager on the investigative response team at Verizon Enterprise Services, said his team investigated 526 incidents in 2015, up from 400 in 2014. The team, one of the largest of its kind in the world, has responded to roughly a third of the enterprise data breaches investigated worldwide, and it recently released its 2016 Data Breach Investigations Report.

Through that research, the company found that 89 per cent of breaches had a financial or espionage motive. And despite scary-sounding terms like social engineering, spear phishing, malware, ransomware and scripts, investigators know that these attacks are usually far less sophisticated than they sound.

"If you look at the tools they're using, like the Zeus Trojan — that's 20 years old now, but we still see it . . . in some of the biggest attacks to try and steal credentials and get access to the network," said Ostertag.

"That's not sophisticated. That's simple, send an email with some malware to steal your credentials,” he said.

“Some of the malware is (sophisticated), but that's a commodity. You can find vendors that will sell you the malware,” he said. “So I don't need the technical expertise, I just need to buy it from someone else."

Hunt points to the 2015 breach at TalkTalk, the British telecom provider, in which about 157,000 customer records were compromised. The culprit turned out to be a 15-year-old who used a freely available tool found online to carry out the attack.

"One thing we don't focus on enough, is that every time one of these companies get hacked, they've made multiple really serious mistakes, which resulted in this happening," said Hunt.

"It's very rarely (that) this was really a sophisticated attack that took advantage of a company that did everything right. That just doesn't happen."

Even when a company does everything right and trains its employees not to open strange-looking emails with dodgy attachments, Ostertag says Verizon's research finds that 13 per cent of recipients will still open a phishing attachment.

That may partly explain why ransomware is becoming both more effective and more common. A recent Kaspersky Lab report shows that ransomware attacks increased 5.5 times over two years, from 131,111 reported in 2014-2015 to 718,536 in 2015-2016.

In Canada, high-profile ransomware attacks have centred on hospitals, but in early June it was reported that the University of Calgary paid $20,000 to recover its data after an attack.

Meanwhile, the cost of dealing with attacks is rising, from cleanup costs and legal fees to the growing business of cyber insurance.

According to IBM's annual Cost of Data Breach study, the average cost of a data breach in Canada is $6.03 million, based on a country-specific study in which 24 Canadian companies participated. That is somewhat higher than the global average of $4 million (U.S.).

Given those costs and the frequency of large-scale breaches, the problem is now reaching the executive level, and many executives understand how serious it is.

Hunt points to legislation in Europe due to come into effect in 2018 that could make the costs even bigger.

"One of the things that I'll be anxiously watching is this General Data Protection Regulation . . . it promises to fine organizations up to 4 per cent of their gross revenue if they have an incident like this," said Hunt.

What happens when the next company with billions of dollars in revenue screws up its data security and faces a $40-million fine?

"That would really put the fear of God in these guys," he said.

That may be necessary: with hacks and breaches happening more often, many consumers may simply become desensitized to them.

"I think that is the reality of it, it's just become such an accepted state of affairs that sites are going to get hacked," said Hunt.

"I don't know that everyone proceeds with that assumption when they provide data to a website, but certainly we're seeing it so frequently in the press now, and we're just going 'oh, another site got hacked.’"

Under attack

Social engineering: In information security, the psychological manipulation of people into performing actions or divulging confidential information. It usually refers to non-technical means of getting information, such as cold calling.

Phishing: The attempt to obtain financial or other confidential information from Internet users, typically by sending an email that appears to come from a legitimate user or company. Spear phishing is similar, but is aimed at a specific person.

Malware: The catch-all term for malicious programs, including computer viruses, worms, ransomware, spyware and more.

Ransomware: Malicious software that, once it infects a computer, encrypts the data on it and leaves instructions for paying a fee to get the data back.

Scripts: A computer program that automates a repetitive action, for example trying a list of stolen credentials against many accounts in turn.

SQL injection: An attack in which an attacker supplies input (in a web form or URL, for example) that a poorly written application pastes directly into a database query, so the database runs the attacker's SQL alongside the developer's. The result is database queries or actions that should never have been allowed, such as dumping an entire customer table to a third party. It's often the method behind huge data leaks with millions of records.
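To make the glossary entry concrete, here is an added example (not code from the article or from any company it names) showing a product-search query that splices user input into SQL, beside the parameterised version that fixes it. The users and products tables, their rows, and the function names are constructed for illustration and live in an in-memory SQLite database, so it runs offline.

```python
"""Added illustration of SQL injection, vulnerable and hardened side by side.
Constructed sample data only; nothing here is from the article or any
company it names."""
import sqlite3


def make_db():
    """Build a constructed sample database: a users table the attacker wants,
    and a harmless products table the search feature is meant to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT, role TEXT);
        INSERT INTO users (email, password_hash, role) VALUES
            ('alice@example.com', 'hash-of-alice', 'admin'),
            ('bob@example.com',   'hash-of-bob',   'user');
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products (name) VALUES ('widget'), ('gadget');
        """
    )
    return conn


def search_products_vulnerable(conn, term):
    """Vulnerable: the search term is pasted into the SQL text, so the
    database cannot tell the attacker's SQL apart from the developer's."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_products_safe(conn, term):
    """Hardened: the term is passed as a bound parameter. The SQL text is
    fixed, and the database treats the term purely as a string value."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


# A classic UNION-based payload (constructed for this example). The leading
# quote closes the developer's string literal, UNION bolts a second query
# onto the first, and the trailing comment marker (--) swallows the
# developer's closing quote so the statement still parses.
DUMP_USERS_PAYLOAD = "' UNION SELECT email || ':' || password_hash FROM users --"


def rows_leaked(search):
    """Run a search function with the payload against a fresh database and
    return the rows that do not belong to the products table, i.e. what the
    attacker actually walks away with. Sorted so the result is deterministic."""
    return sorted(r for r in search(make_db(), DUMP_USERS_PAYLOAD)
                  if r not in ("widget", "gadget"))


if __name__ == "__main__":
    print("vulnerable search leaks:", rows_leaked(search_products_vulnerable))
    print("parameterised search leaks:", rows_leaked(search_products_safe))
```

With the vulnerable function, the payload returns every email and password hash in the users table; with the parameterised one, the same payload is just a product name that matches nothing. Bound parameters are the fix, but note that the search feature's database account being able to read the users table at all is a second mistake, which is the kind of stacked error Hunt describes.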
